Skip to content
Advertisements

Posts tagged ‘cybersecurity’

74% Of Data Breaches Start With Privileged Credential Abuse

Centrify’s survey shows organizations are granting too much trust and privilege, opening themselves up to potential internal and externally-driven breaches initiated with compromised privileged access credentials. Photo credit: iStock

Enterprises who are prioritizing privileged credential security are creating a formidable competitive advantage over their peers, ensuring operations won’t be interrupted by a breach. However, there’s a widening gap between those businesses protected from a breach and the many who aren’t. In quantifying this gap consider the typical U.S.-based enterprise will lose on average $7.91M from a breach, nearly double the global average of $3.68M according to IBM’s 2018 Data Breach Study.

Further insights into how wide this gap is are revealed in Centrify’s Privileged Access Management in the Modern Threatscape survey results published today. The study is noteworthy as it illustrates how wide the gap is between enterprises’ ability to avert and thwart breaches versus their current levels of Privileged Access Management (PAM) and privileged credential security. 74% of IT decision makers surveyed whose organizations have been breached in the past, say it involved privileged access credential abuse, yet just 48% have a password vault, just 21% have multi-factor authentication (MFA) implemented for privileged administrative access, and 65% are sharing root or privileged access to systems and data at least somewhat often.

Addressing these three areas with a Zero Trust approach to PAM would make an immediate difference in security.

“What’s alarming is that the survey reveals many organizations, armed with the knowledge that they have been breached before, are doing too little to secure privileged access. IT teams need to be taking their Privileged Access Management much more seriously, and prioritizing basic PAM strategies like vaults and MFA while reducing shared passwords,” remarked Tim Steinkopf, Centrify CEO. FINN Partners, on behalf of Centrify, surveyed 1,000 IT decision makers (500 in the U.S. and 500 in the U.K.) online in October 2018. Please see the study here for more on the methodology.

How You Choose To Secure Privileged Credentials Determines Your Future 

Identities are the new security perimeter. Threats can emerge within and outside any organization, at any time. Bad actors, or those who want to breach a system for financial gain or to harm a business, aren’t just outside. 18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000, and 24% of employees know of someone who has sold privileged credentials to outsiders, according to a recent Accenture survey.

Attackers are increasingly logging in using weak, stolen, or otherwise compromised credentials. Centrify’s survey underscores how the majority of organizations’ IT departments have room for improvement when it comes to protecting privileged access credentials, which are the ‘keys to the kingdom.’ Reading the survey makes one realize that forward-thinking enterprises who are prioritizing privileged credential security gain major cost and time advantages over their competitors. They’re able to keep their momentum going across every area of their business by not having to recover from breaches or incur millions of dollars on losses or fines as the result of a breach.

One of the most promising approaches to securing every privileged identity and threat space within and outside an organization is Zero Trust Privilege (ZTP). ZTP enables an organizations’ IT team to grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

Key Lessons Learned from the Centrify Survey

How wide the gap is between organizations who see identities as the new security perimeter and are adopting a Zero Trust approach to securing them and those that aren’t is reflected in the results of Centrify’s Privileged Access Management in the Modern Threatscape surveyThe following are the key lessons learned of where and how organizations can begin to close the security gaps they have that leave them vulnerable to privileged credential abuse and many other potential threats:

  • Organizations’ most technologically advanced areas that are essential for future growth and attainment of strategic goals are often the most unprotected. Big Data, cloud, containers and network devices are the most important areas of any IT infrastructure. According to Centrify’s survey, they are the most unprotected as well. 72% of organizations aren’t securing containers with privileged access controls. 68% are not securing network devices like hubs, switches, and routers with privileged access controls. 58% are not securing Big Data projects with privileged access controls. 45% are not securing public and private cloud workloads with privileged access controls. The study finds that UK-based businesses lag U.S.-based ones in each of these areas as the graphic below shows:

  • Only 36% of U.K. organizations are very confident in their company’s current IT security software strategies, compared to 65% in the U.S. The gap between organizations with hardened security strategies that have a higher probability of withstanding breach attempts is wide between U.K. and U.S.-based businesses. 44% of U.K. respondents weren’t positive about what Privileged Access Management is, versus 26% of U.S. respondents. 60% of U.K. respondents don’t have a password vault.

  • Just 35% of U.S. organizations and 30% of those in the UK are relying on Privileged Access Management to manage partners’ access to privileged credentials and infrastructure. Partners are indispensable for scaling any new business strategy and expanding an existing one across new markets and countries. Forward-thinking organizations look at every partner associates’ identity as a new security perimeter. The 35% of U.S.-based organizations doing this have an immediate competitive advantage over the 65% who aren’t. By enforcing PAM across their alliances and partnerships, organizations can achieve uninterrupted growth by eliminating expensive and time-consuming breaches that many businesses never fully recover from.
  • Organizations’ top five security projects for 2019 include protecting cloud data, preventing data leakage, analyzing security incidents, improving security education/awareness and encrypting data. These top five security projects could be achieved at scale by having IT teams implement a Zero Trust-based approach to Privileged Access Management (PAM). The time, cost and scale advantages of getting the top five security projects done using Zero Trust would free up IT teams to focus on projects that deliver direct revenue gains for example.

Conclusion

Centrify’s survey shows organizations are granting too much trust and privilege, opening themselves up to potential internal and externally-driven breaches initiated with compromised privileged access credentials. It also reveals that there is a strong desire to adhere to best practices when it comes to PAM (51% of respondents) and that the reason it is not being adequately implemented rarely has to do with prioritization or difficulty but rather budget constraints and executive buy-in.

The survey also shows U.K. – and U.S.-based organizations need to realize identity is the new security perimeter. For example, only 37% of respondents’ organizations are able to turn off privileged access for an employee who leaves the company within one day, leaving a wide-open exposure point that can continue to be exploited.

There are forward-thinking organizations who are relying on Zero Trust Privilege as a core part of their digital transformation efforts as well. The survey found that given a choice, respondents are most likely to say digital transformation (40%) is one of the top 3 projects they’d prefer to work on, followed by Endpoint Security (37%) and Privileged Access Management (28%). Many enterprises see digital transformation’s missing link being Zero Trust and the foundation for redefining their businesses by defining every identity as a new security perimeter, so they can securely scale and grow faster than before.

Advertisements

What IoT Leaders Do To Drive Greater Results

  • IoT Leaders are achieving cost and revenue gains of at least 15% or more, while laggards see less than 5%.
  • Pursuing 80% more IoT use cases compared to their peers, IoT Leaders are progressing faster down the learning curve of monetizing their application areas.
  • IoT Leaders anticipate that their IoT use cases will boost their gross profits by 13% over the next three years, three times as much as IoT laggards.

What IoT leaders do to excel and drive greater results compared to their peers is explored in the recent McKinsey report, What separates leaders from laggards in the Internet of Things. The study is based on interviews with 300 IoT executive-level practitioners from companies with more than $500M revenues which are implementing large-scale IoT strategies with projects that have progressed from pilot to production. Enterprises from 11 major industry segments from Canada, China, Germany, and the United States were included in the survey.

McKinsey found 16% of enterprises have IoT programs in production, delivering aggregate cost and revenue impacts of at least 15%. The study also found 16% of enterprises are lagging, attaining aggregate revenue and cost improvements of less than 5%. The following graphic compares companies by the level of financial impact from IoT initiatives:

Nine practices differentiate IoT Leaders from laggards, and the study provides a fascinating look into each based on the survey data. Key insights into IoT Leader’s practice areas is provided here:

  • Leaders are more aggressive about pursuing a greater number, scope, and variety of IoT applications and use cases than their less successful peers. What IoT Leaders learn quickly is how steep the IoT learning curve is, and how it’s essential to run as many IoT pilots as possible to learn more. Leaders discover the first 15 or so IoT use cases typically have a modest payback, with the average payback rising until approximately 30 use cases have been achieved. IoT Leaders anticipate that their IoT use cases will boost their gross profits by 13% over the next three years, three times as much as IoT laggards. The following graphic illustrates the financial impact per IoT use case by the cumulative number of IoT use cases enterprises initiate.

  • Leaders are more willing than their peers to change business processes to unlock IoT’s value. McKinsey found IoT Leaders are three times more likely than their peers to say that managing changes to business processes is one of the three most important capabilities for implementing IoT. CEOs who champion their company’s IoT initiatives make strong contributions in this area, removing barriers and roadblocks quickly to keep IoT programs moving forward.
  • Leaders design, pilot and move to production IoT use cases that rely on advanced endpoints far more than their peers. McKinsey finds that IoT Leaders are more visionary and aggressive than peers in developing applications with advanced endpoints.  Leaders are gaining expertise and mastery of how to creatively use advanced endpoints today, reporting higher levels of satisfaction and positive results.

  • Leaders clearly define how IoT will create value and excel in building effective business cases. McKinsey found that IoT Leaders are 75% more likely than their peers to cite the preparation of a strong business case as a critical success factor for their IoT programs. The study’s respondents who have an IoT vision that includes a strong value proposition, a proven delivery model, and a business model that drives revenue are getting results faster than their peers. 35% of Leaders rate the importance of “strong business case and vision for value creation” as one of the top three success factors versus 20% of laggards. Leaders leave nothing to chance when it comes to defining how IoT will deliver business value either in the form of greater revenue or reduced costs.

  • A CEO’s involvement and support are essential for any enterprise to succeed with  IoT. Based on personal experience with IoT pilots, C-level executives are indispensable in removing barriers and making process-level changes necessary for success. 72% of the surveyed executives agree. A vital catalyst of any enterprise succeeding with IoT is a clear, unequivocal time commitment on the part of the CEO. Enterprises in the Leaders quintile were 2.4 more likely than laggards to report that their CEO serves as the champion of IoT efforts as the following graphic illustrates:

  • Leaders credit strong alignment with IoT strategies and priorities enterprise-wide as a critical factor in their success. IoT initiatives and pilots on their way to production require executives, managers, and frontline workers to learn fresh skills and collaborate across business and functional boundaries in new ways. Enterprises need to have a strong unifying vision of where they’re going with IoT, with the CEO championing the change management required to make sure they succeed.
  • Leaders begin by adding IoT capability to existing products and services first. McKinsey found that Leaders are three times more likely than their peers to make their top priority adding IoT capabilities to existing products. They focus on how to turn the current scale they’ve achieved with suppliers, selling and service networks into a formidable competitive advantage. They’re also more adept at cross-selling and up-selling IoT-enabled products by capitalizing on current customer relationships. The following graphic compares enterprises’ single highest-priority IoT effort:

  • Leaders excel at tapping into, scaling and relying on an ecosystem of partners for innovation versus doing it all themselves. McKinsey finds that IoT Leaders excel at scaling their partner ecosystems faster and more strategically than their peers. IoT Leaders also rely more on partners for the latest technology innovations instead of attempting to create them entirely on their own. They’re also deliberately choosing IoT platforms that support third-party developers and the advanced endpoints as the graphic below shows:

  • Leaders prepare for cyber attacks, so they don’t slow things down. McKinsey found that 30% of enterprises from both IoT Leaders and their peers say that they’ve experienced cyber attacks that have resulted in high to severe damage. 57% of Leaders had been the target of cyber attacks compared to 44% of their peers. The higher number of cyber attacks happening for Leaders is due to the broader threat surface their many pilots, and production-level use cases create. The more distributed and varied IoT use cases are the greater the risk of privileged credential abuse as well. Thwarting privileged credential abuse needs to start with a least privilege access approach, minimizing each attack surface, improving audit and compliance visibility while reducing risk, complexity, and costs. Leaders in Zero Trust include CentrifyMobileIronPalo Alto Networks, and others.

Digital Transformation’s Missing Link Is Zero Trust

    • Enterprises will invest $2.4T by 2020 in digital transformation technologies including cloud platforms, cognitive systems, IoT, mobile, robotics, and integration services according to the World Economic Forum.
    • Digital transformation software and services revenue in the U.S. is predicted to reach $490B in 2025, soaring from $190B in 2019, attaining a Compound Annual Growth Rate (CAGR) of 14.49% according to Grand View Research published by Statista.
    • IDC predicts worldwide spending on the technologies and services that enable the digital transformation of business practices, products, and organizations will reach $1.97T in 2022.
    • Legacy approaches to Privileged Access Management (PAM) don’t protect the new threatscapes digital transformation initiatives create, making Zero Trust Privilege essential for enterprises.

B2B customers, including manufacturers looking to replace legacy production equipment with smart, connected machines, have high expectations when it comes to product quality, ease of integration, and intuitive user experiences. Replacing factories full of legacy assets with smart, connected machinery is one of the most powerful catalysts driving digital transformation today. Innovative smart, connected machinery and the performance gains they provide are the oxygen that keeps customer relationships alive. That’s why digital transformation forecasts from the World Economic Forum, Grand View ResearchIDC, and many others predict perennial growth. The many forecasts reflect a fundamental truth: digital transformation done with intensity creates a customer-driven renaissance for any business.

Businesses digitally transforming themselves are succeeding because they’ve made themselves accountable and transparent to customers. Earning and protecting that trust is the heartbeat of any business’ growth. 51% of enterprises invest in digital transformation to capture growth opportunities in new markets, with 46% investing to stay in front of evolving customer behaviors and preferences. Brian Solis’ excellent report, The State of Digital Transformation, 2018 – 2019 Edition (31 pp., PDF, opt-in) shows how digitally transforming any business with the customer first leads to greater growth. The graphic from his study illustrates this point:

 

Closing The Digital Transformation Gap With Zero Trust

Gaps exist between the results digital transformation initiatives are delivering today, and the customer-driven value they’re capable of. According to Gartner, 75% of digital transformation projects are not aligned internally today, leading to delayed new product launches, mediocre experiences, and greater security risks than ever before. Interactive, IoT-enabled experiences and products are expanding the threatscape of enterprises to include Big Data, cloud, containers, DevOps, IoT systems, and more. With that comes a host of new exposure points, many of which allow access to sensitive data that must be protected with modern Privileged Access Management solutions that reduce risk in these modern enterprise use cases.

The new security perimeter is identity. Forrester estimates that 80% of data breaches are caused by privileged access abuse. Every smart, connected machine that replaces legacy production equipment is another identity that defines a manufacturer’s security perimeter.

As the use cases and adoption of smart, connected machines proliferate, so too does the urgency that manufacturers need to replace their legacy approaches to Privileged Access Management (PAM). Relying on outdated strategies for protecting administrative access to all machines needs to be replaced with a “never trust, always verify, enforce least privilege” approach.

IT needs to improve how they’re protecting the most privileged access credentials, the ‘keys to the kingdom,’ by granting just-enough, just-in-time privilege. Of the many cybersecurity approaches available today, Zero Trust Privilege (ZTP) enables IT to grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

The more diverse any digital transformation strategy, the greater the risk of privileged credential abuse. Thwarting privileged credential abuse needs to start with a least privilege access approach, minimizing each attack surface, improving audit and compliance visibility while reducing risk, complexity, and costs. Leaders in Zero Trust include CentrifyMobileIronPalo Alto Networks, and others. Of these companies, Centrify’s approach to Zero Trust to prevent privileged access abuse shows the greatest potential for securing digital transformation initiatives and strategies.

How To Secure Digital Transformation Strategies

IDG Research found in their Security Priorities for 2018 study that 71% of security-focused IT decision-makers are aware of the Zero Trust model and 18% of enterprises are either running pilots or have implemented Zero Trust.

Zero Trust Privilege (ZTP) is the force multiplier digital transformation initiatives need to reach their true potential by securing administrative access to the complex mix of machinery and infrastructure – and the sensitive data they hold and use – that manufacturers rely on daily.

Starting with a strategic perspective, ZTP’s contribution to securing digital transformation deployments apply to every area of planning, pilots, platforms, product, and service data being designed to stop the leading cause of breaches, which is privileged credential abuse. The following graphic illustrates how ZTP needs to span every aspect of an enterprise’s digital transformation capabilities.

Source: World Economic Forum, Digital Transformation Initiative, May 2018

Conclusion

By 2020, 30% of Global 2000 companies will have allocated capital budget equal to at least 10% of revenue to fuel their digital transformation strategies according to IDC.  European spending on technologies and services that enable the digital transformation of business practices, products, and organizations is forecasted to reach $378.2B in 2022. The perennial growth these forecasts promise is predicated on enterprises delivering new experiences and innovative products, which create the oxygen that keeps their customer relationships alive.

Amidst all the potential for growth, enterprises need to realize every new infrastructure element, machine, or connected production asset is a new identity that collectively comprises the fabric of their security perimeter. Legacy cybersecurity approaches won’t scale to protect the proliferating number of smart machines being put into use today. Relying entirely on legacy approaches to PAM, where privileged access to systems and resources only inside the network are secure, is failing today. Smart, connected machinery and the products and experiences they deliver require an entirely new cybersecurity strategy, one based on a “never trust, always verify, enforce least privilege” approach. Centrify Zero Trust Privilege shows potential to meet this challenge by granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

Predicting The Future Of Next-Gen Access And Zero Trust Security In 2019

Bottom Line:  The most valuable catalyst all digital businesses need to continue growing in 2019 is a Zero Trust Security (ZTS) strategy based on Next-Gen Access (NGA) that scales to protect every access point to corporate data, recognizing that identities are the new security perimeter.

The faster any digital business is growing, the more identities, devices and network endpoints proliferate. The most successful businesses of 2019 and beyond are actively creating entirely new digital business models today. They’re actively recruiting, and onboarding needed experts independent of their geographic locations and exploring new sourcing and patent ideas with R&D partners globally. Businesses are digitally transforming themselves at a faster rate than ever before. Statista projects businesses will spend $190B on digital transformation in 2019, soaring to $490B by 2025, attaining a 14.4% Compound Annual Growth Rate (CAGR) in six years.

Security Perimeters Make Or Break A Growing Business

80% of IT security breaches involve privileged credential access according to a recent Forrester study. The Verizon Mobile Security Index 2018 Report found that 89% of organizations are relying on just a single security strategy to keep their mobile networks safe. A typical data breach cost the average company $3.86M in 2018, up 6.4% from $3.62M in 2017 according to IBM Security’s latest  2018 Cost of a Data Breach Study.

The hard reality for any digital business is realizing that their greatest growth asset is how well they protect the constantly expanding perimeter of their business. Legacy approaches to securing infrastructure that relies on trusted and untrusted domains can’t scale to protect every identity and device that comprises a company’s rapidly changing new security perimeter. All these factors and more are why Zero Trust Security (ZTS) enabled by Next-Gen Access (NGA) is as essential to digital businesses’ growth as their product roadmaps, pricing strategies, and services with Idaptive being an early leader in the market. To learn more about Identity-as-a-Service please see the Forrester report, The Forrester Wave™: Identity-As-A-Service, Q4 2017 (client access required)

Predicting The Future Of Next-Gen Access And Zero Trust Security

The following are predictions of how Next-Gen Access (NGA) powered by Zero Trust Security (ZTS) will evolve in 2019:

  • Behavior-based scoring algorithms will improve markedly in 2019, improving the user experience by calculating risk scores with greater precision than before. Thwarting attacks start with a series of behavior-based algorithms that calculate a risk score based on a wide variety of variables including past access attempts, device security posture, operating system, location, time of day, and many other measurable factors. Expect to see these algorithms and the risk scores they generate using machine learning techniques improve from accuracy and contextual intelligence standpoint in 2019. Leading companies in the field including Idaptive are actively investing in machine learning technologies to accomplish this today.
  • Multifactor Authentication (MFA) adoption soars as digital businesses seek to protect new R&D projects, patents in progress, roadmaps, and product plans. State-sponsored hacking organizations and organized crime see the intellectual property in fast-growing digital businesses as among the most valuable assets they can exfiltrate and sell on the Dark Web. MFA, one of the most effective single defenses against compromised passwords, will be adopted by the most successful businesses in AI, aerospace & defense, chip design for cellular and IoT devices, e-commerce, enterprise software and more.
  • Smart, connected products without adequate security designed in will proliferate in 2019, further challenging the security perimeters of the digital businesses. The era of smart, connected products is here, with Capgemini estimating the size of the connected products market will be $519B to $685B by 2020. Manufacturers expect close to 50% of their products to be smart, connected products by 2020, according to Capgemini’s Digital Engineering: The new growth engine for discrete manufacturers. The study is downloadable here (PDF, 40 pp., no opt-in). With every smart, connected device creating a new threat surface for a company, expect to see at least one device manufacturer design Zero Trust Security (ZTS) support to the board level to increase their sales into enterprises by reducing the threat of a breach starting from their device.
  • Looking for greater track and traceability, healthcare and medical products supply chains will adopt Zero Trust Security (ZTS). What’s going to make this an urgent issue in healthcare and medical products are the combined effects of greater regulatory reporting and compliance, combined with the pressure to improve time-to-market for new products and delivery accuracy for current customers. The pillars of ZTS are a perfect fit for healthcare and medical supply chains’ need for track and traceability. These pillars are real-time user verification, device validation, and intelligently limiting access, while also learning and adapting to verified user behaviors.
  • Real-time Security Analytics Services is going to thrive in 2019 as digital businesses seek insights into how they can fine-tune their ZTS strategies across every threat surface and machine learning algorithms improve. Many enterprises are in for an epiphany in 2019 when they see just how many potential breaches they’ve stopped using a combination of security strategies including Single Sign-On (SSO) and Multi-factor Authentication (MFA). Machine learning algorithms will continue to improve using behavior-based scoring, further improving the user experience. Leaders in the field include Idaptive who is setting a rapid pace of innovation in Real-Time Security Analytics Services.   

Conclusion

Security is at an inflection point today. Long-standing methods of protecting IT systems and a businesses’ assets can’t scale to protect every new identity, device or threat surface. When every identity is a new security perimeter, a new approach is needed to securing any digital business. The pillars of ZTS including real-time user verification, device validation, and intelligently limiting access, while also learning and adapting to verified user behaviors are proving to be effective at thwarting breaches and securing company’ digital assets of all kinds. It’s time for more digital businesses to see security as the growth catalyst it is and take action now to ensure their operations continue to flourish.

How To Protect Healthcare IoT Devices In A Zero Trust World

  • Over 100M healthcare IoT devices are installed worldwide today, growing to 161M by 2020, attaining a Compound Annual Growth Rate (CAGR) of 17.2% in just three years according to Statista.
  • Healthcare executives say privacy concerns (59%), legacy system integration (55%) and security concerns (54%) are the top three barriers holding back Internet of Things (IoT) adoption in healthcare organizations today according to the Accenture 2017 Internet of Health Things Survey.
  • The global IoT market is projected to soar from $249B in 2018 to $457B in 2020, attaining a Compound Annual Growth Rate (CAGR) of 22.4% in just three years according to Statista.

Healthcare and medical device manufacturers are in a race to see who can create the smartest and most-connected IoT devices first. Capitalizing on the rich real-time data monitoring streams these devices can provide, many see the opportunity to break free of product sales and move into more lucrative digital service business models. According to Capgemini’s “Digital Engineering, The new growth engine for discrete manufacturers,” the global market for smart, connected products is projected to be worth $519B to $685B by 2020. The study can be downloaded here (PDF, 40 pp., no opt-in). 47% of a typical manufacturer’s product portfolio by 2020 will be comprised of smart, connected products. In the gold rush to new digital services, data security needs to be a primary design goal that protects the patients these machines are designed to serve. The following graphic from the study shows how organizations producing smart, connected products are making use of the data generated today.

Healthcare IoT Device Data Doesn’t Belong For Sale On The Dark Web

Every healthcare IoT device from insulin pumps and diagnostic equipment to Remote Patient Monitoring is a potential attack surface for cyber adversaries to exploit. And the healthcare industry is renowned for having the majority of system breaches initiated by insiders. 58% of healthcare systems breach attempts involve inside actors, which makes this the leading industry for insider threats today according to Verizon’s 2018 Protected Health Information Data Breach Report (PHIDBR).

Many employees working for medical providers are paid modest salaries and often have to regularly work hours of overtime to make ends meet. Stealing and selling medical records is one of the ways those facing financial challenges look to make side money quickly and discreetly. And with a market on the Dark Web willing to pay up to $1,000 or more for the most detailed healthcare data, according to Experian, medical employees have an always-on, 24/7 marketplace to sell stolen data. 18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000, and 24% of employees know of someone who has sold privileged credentials to outsiders, according to a recent Accenture survey. Healthcare IoT devices are a potential treasure trove to inside and outside actors who are after financial gains by hacking the IoT connections to smart, connected devices and the networks they are installed on to exfiltrate valuable medical data.

Healthcare and medical device manufacturers need to start taking action now to secure these devices during the research and development, design and engineering phases of their next generation of IoT products. Specifying and validating that every IoT access point is compatible and can scale to support Zero Trust Security (ZTS) is essential if the network of devices being designed and sold will be secure. ZTS is proving to be very effective at thwarting potential breach attempts across every threat surface an organization has. Its four core pillars include verifying the identity of every user, validating every device, limiting access and privilege, and utilizing machine learning to analyze user behavior and gain greater insights from analytics.

The First Step Is Protect Development Environments With Zero Trust Privilege

Product research & development, design, and engineering systems are all attack surfaces that cyber adversaries are looking to exploit as part of the modern threatscape. Their goals include gaining access to valuable Intellectual Property (IP), patents and designs that can be sold to competitors and on the Dark Web, or damaging and destroying development data to slow down the development of new products. Another tactic lies in planting malware in the firmware of IoT devices to exfiltrate data at scale.

Attack surfaces and the identities that comprise the new security perimeter of their companies aren’t just people; they are workloads, services, machines, and development systems and platforms. Protecting every attack surface with cloud-ready Zero Trust Privilege (ZTP) which secures access to infrastructure, DevOps, cloud, containers, Big Data, and the entire development and production environment is needed.

Zero Trust Privilege can harden healthcare and medical device manufacturers’ internal security, only granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, healthcare and medical device manufacturers would be able to minimize attack surfaces, improve audit and compliance visibility, and reduces risk, complexity, and costs across their development and production operations.

The Best Security Test Of All: An FDA Audit

Regulatory agencies across Asia, Europe, and North America are placing a higher priority than ever before on cybersecurity to the device level. The U.S. Food & Drug Administration’s Cybersecurity Initiative is one of the most comprehensive, providing prescriptive guidance to manufacturers on how to attain higher levels of cybersecurity in their products.

During a recent healthcare device and medical device manufacturer’s conference, a former FDA auditor (and now Vice President of Compliance) gave a fascinating keynote on the FDA’s intent to audit medical device security at the production level. Security had been an afterthought or at best a “trust but verify” approach that relied on trusted versus untrusted machine domains. That will no longer be the case, as the FDA will now complete audits that are comparable to Zero Trust across manufacturing operations and devices.

As Zero Trust Privilege enables greater auditability than has been possible in the past, combined with a “never trust, always verify” approach to system access, healthcare device, and medical products manufacturers should start engineering in Zero Trust into their development cycles now.

IBM’s 2018 Data Breach Study Shows Why We’re In A Zero Trust World Now

  • Digital businesses that lost less than 1% of their customers due to a data breach incurred a cost of $2.8M, and if 4% or more were lost the cost soared to $6M.
  • U.S. based breaches are the most expensive globally, costing on average $7.91M with the highest global notification cost as well, $740,000.
  • A typical data breach costs a company $3.86M, up 6.4% from $3.62M last year.
  • Digital businesses that have security automation can minimize the costs of breaches by $1.55M versus those businesses who are not ($2.88M versus $4.43M).
  • 48% of all breaches are initiated by malicious or criminal attacks.
  • Mean-time-to-identify (MTTI) a breach is 197 days, and the mean-time-to-contain (MTTC) is 69 days.

These and many other insights into the escalating costs of security breaches are from the 2018 Cost of a Data Breach Study sponsored by IBM Security with research independently conducted by Ponemon Institute LLC. The report is downloadable here (PDF, 47 pp. no opt-in).

The study is based on interviews with more than 2,200 compliance, data protection and IT professionals from 477 companies located in 15 countries and regions globally who have experienced a data breach in the last 12 months. This is the first year the use of Internet of Things (IoT) technologies and security automation are included in the study. The study also defines mega breaches as those involving over 1 million records and costing $40M or more. Please see pages 5, 6 and 7 of the study for specifics on the methodology.

The report is a quick read and the data provided is fascinating. One can’t help but reflect on how legacy security technologies designed to protect digital businesses decades ago isn’t keeping up with the scale, speed and sophistication of today’s breach attempts. The most common threat surface attacked is compromised privileged credential access. 81% of all breaches exploit identity according to an excellent study from Centrify and Dow Jones Customer Intelligence, CEO Disconnect is Weakening Cybersecurity (31 pp, PDF, opt-in).

The bottom line from the IBM, Centrify and many other studies is that we’re in a Zero Trust Security (ZTS) world now and the sooner a digital business can excel at it, the more protected they will be from security threats. ZTS begins with Next-Gen Access (NGA) by recognizing that every employee’s identity is the new security perimeter for any digital business.

Key takeaways from the study include the following:

  • U.S. based breaches are the most expensive globally, costing on average $7.91M, more than double the global average of $3.86M. Nations in the Middle East have the second-most expensive breaches globally, averaging $5.31M, followed by Canada, where the average breach costs a digital business $4.74M. Globally a breach costs a digital business $3.86M this year, up from $3.62M last year. With the costs of breaches escalating so quickly and the cost of a breach in the U.S. leading all nations and outdistancing the global average 2X, it’s time for more digital businesses to consider a Zero Trust Security strategy. See Forrester Principal Analyst Chase Cunningham’s recent blog post What ZTX Means For Vendors And Users, from the Forrester Research blog for where to get started.

  • The number of breached records is soaring in the U.S., the 3rd leading nation of breached records, 6,850 records above the global average. The Ponemon Institute found that the average size of a data breach increased 2.2% this year, with the U.S. leading all nations in breached records. It now takes an average of 266 days to identify and contain a breach (Mean-time-to-identify (MTTI) a breach is 197 days and the mean-time-to-contain (MTTC) is 69 days), so more digital businesses in the Middle East, India, and the U.S. should consider reorienting their security strategies to a Zero Trust Security Model.

  • French and U.S. digital businesses pay a heavy price in customer churn when a breach happens, among the highest in the world. The following graphic compares abnormally high customer churn rates, the size of the data breach, average total cost, and per capita costs by country.

  • U.S. companies lead the world in lost business caused by a security breach with $4.2M lost per incident, over $2M more than digital businesses from the Middle East. Ponemon found that U.S. digitally-based businesses pay an exceptionally high cost for customer churn caused by a data breaches. Factors contributing to the high cost of lost business include abnormally high turnover of customers, the high costs of acquiring new customers in the U.S., loss of brand reputation and goodwill. U.S. customers also have a myriad of competitive options and their loyalty is more difficult to preserve. The study finds that thanks to current notification laws, customers have a greater awareness of data breaches and have higher expectations regarding how the companies they are loyal to will protect customer records and data.

Conclusion

The IBM study foreshadows an increasing level of speed, scale, and sophistication when it comes to how breaches are orchestrated. With the average breach globally costing $4.36M and breach costs and lost customer revenue soaring in the U.S,. it’s clear we’re living in a world where Zero Trust should be the new mandate.

Zero Trust Security starts with Next-Gen Access to secure every endpoint and attack surface a digital business relies on for daily operations, and limit access and privilege to protect the “keys to the kingdom,” which gives hackers the most leverage. Security software providers including Centrify are applying advanced analytics and machine learning to thwart breaches and many other forms of attacks that seek to exploit weak credentials and too much privilege. Zero Trust is a proven way to stay at parity or ahead of escalating threats.

Zero Trust Security Update From The SecurIT Zero Trust Summit

  • Identities, not systems, are the new security perimeter for any digital business, with 81% of breaches involving weak, default or stolen passwords.
  • 53% of enterprises feel they are more susceptible to threats since 2015.
  • 51% of enterprises suffered at least one breach in the past 12 months and malicious insider incidents increased 11% year-over-year.

These and many other fascinating insights are from SecurIT: the Zero Trust Summit for CIOs and CISOs held last month in San Francisco, CA. CIO and CSO produced the event that included informative discussions and panels on how enterprises are adopting Next-Gen Access (NGA) and enabling Zero Trust Security (ZTS). What made the event noteworthy were the insights gained from presentations and panels where senior IT executives from Akamai, Centrify, Cisco, Cylance, EdgeWise, Fortinet, Intel, Live Nation Entertainment and YapStone shared their key insights and lessons learned from implementing Zero Trust Security.

Zero Trust’s creator is John Kindervag, a former Forrester Analyst, and Field CTO at Palo Alto Networks.  Zero Trust Security is predicated on the concept that an organization doesn’t trust anything inside or outside its boundaries and instead verifies anything and everything before granting access. Please see Dr. Chase Cunningham’s excellent recent blog post, What ZTX means for vendors and users, for an overview of the current state of ZTS. Dr. Chase Cunningham is a Principal Analyst at Forrester.

Key takeaways from the Zero Trust Summit include the following:

  • Identities, not systems, are the new security perimeter for any digital business, with 81% of breaches involving weak, default or stolen passwords. Tom Kemp, Co-Founder, and CEO, Centrify, provided key insights into the current state of enterprise IT security and how existing methods aren’t scaling completely enough to protect every application, endpoint, and infrastructure of any digital business. He illustrated how $86B was spent on cybersecurity, yet a stunning 66% of companies were still breached. Companies targeted for breaches averaged five or more separate breaches already. The following graphic underscores how identities are the new enterprise perimeter, making NGA and ZTS a must-have for any digital business.

  • 53% of enterprises feel they are more susceptible to threats since 2015. Chase Cunningham’s presentation, Zero Trust and Why Does It Matter, provided insights into the threat landscape and a thorough definition of ZTX, which is the application of a Zero Trust framework to an enterprise. Dr. Cunningham is a Principal Analyst at Forrester Research serving security and risk professionals. Forrester found the percentage of enterprises who feel they are more susceptible to threats nearly doubled in two years, jumping from 28% in 2015 to 53% in 2017. Dr. Cunningham provided examples of how breaches have immediate financial implications on the market value of any business with specific focus on the Equifax breach.

Presented by Dr. Cunningham during SecurIT: the Zero Trust Summit for CIOs and CISOs

  • 51% of enterprises suffered at least one breach in the past 12 months and malicious insider incidents increased 11% year-over-year. 43% of confirmed breaches in the last 12 months are from an external attack, 24% from internal attacks, 17% are from third-party incidents and 16% from lost or stolen assets. Consistent with Verizon’s 2018 Data Breach Investigations Report use of privileged credential access is a leading cause of breaches today.

Presented by Dr. Cunningham during SecurIT: the Zero Trust Summit for CIOs and CISOs

                       

  • One of Zero Trust Security’s innate strengths is the ability to flex and protect the perimeter of any growing digital business at the individual level, encompassing workforce, customers, distributors, and Akamai, Cisco, EdgeWise, Fortinet, Intel, Live Nation Entertainment and YapStone each provided examples of how their organizations are relying on NGA to enable ZTS enterprise-wide. Every speaker provided examples of how ZTS delivers several key benefits including the following: First, ZTS reduces the time to breach detection and improves visibility throughout a network. Second, organizations provided examples of how ZTS is reducing capital and operational expenses for security, in addition to reducing the scope and cost of compliance initiatives. All companies presenting at the conference provided examples of how ZTS is enabling greater data awareness and insight, eliminating inter-silo finger-pointing over security responsibilities and for several, enabling digital business transformation. Every organization is also seeing ZTS thwart the exfiltration and destruction of their data.

Conclusion

The SecurIT: the Zero Trust Summit for CIOs and CISOs event encapsulated the latest advances in how NGA is enabling ZTS by having enterprises who are adopting the framework share their insights and lessons learned. It’s fascinating to see how Akamai, Cisco, Intel, Live Nation Entertainment, YapStone, and others are tailoring ZTS to their specific customer-driven goals. Each also shared their plans for growth and how security in general and NGA and ZTS specifically are protecting customer and company data to ensure growth continues, uninterrupted.

 

 

How Machine Learning Quantifies Trust & Improves Employee Experiences

Bottom Line: By enabling enterprises to scale security with user behavior-based, contextual intelligence, Next-Gen Access strategies are delivering Zero Trust Security (ZTS) enterprise-wide, enabling the fastest companies to keep growing strong.

Every digital business is facing a security paradox today created by their proliferating amount of applications, endpoints and infrastructure on the one hand and the need to scale enterprise security without reducing the quality of user experiences on the other. Businesses face a continual series of challenges to growth, the majority of which are scale-based. Scaling security takes a multidimensional approach that accurately interprets user behavior, risk and threat predictions, and assesses data use and access patterns.

How Enterprises Are Solving The Security Paradox With Next-Gen Access

Security defies simple, scale-based solutions because its processes are ingrained in many different systems across a company. Each of the many systems security relies on and protects have their cadence, speed, and scale. When a company is growing fast, core systems including accounting, CRM, finance, pricing, sales, services, supply chain and human resources become security-constrained. It’s common for companies experiencing high growth to choose expediency over security. 32% of enterprises are sacrificing security for expediency and business performance, leaving many areas of their core infrastructure unsecured according to the Verizon Mobile Security Index 2018 Report.

The hard reality for any growing business is the faster they grow; the more sophisticated and strong they need to become at security. Protecting intellectual property (IP), all data assets and eradicating threats assures uninterrupted, profitable growth. Adding new suppliers, sales teams, distribution partners and service centers can’t be slowed down by legacy-based approaches to user authentication and system access.  The challenge is the faster a business is growing, the slower its legacy approaches to security reacts, slowing down sales cycles, supplier qualifications, and pipelines.

Next-Gen Access solves the security paradox of fast-growing businesses, enabling Zero Trust Security (ZTS) enterprise-wide by solving the following major challenges of a high growth business:

  1. Quit relying on brute-force Multi-Factor Authentication (MFA) techniques that deliver mediocre user experiences and slow down productivity. Any company can still attain Zero Trust Security (ZTS) without reverting to brute-force approaches to MFA. Get away from the idea of having MFA challenges be for every user on every device they use to access every resource. Instead look to Next-Gen Access (NGA) to quantify context, device, and behavioral patterns and derive risk scores for each user.
  2. Begin to rely on Next-Gen Access, Risk-Aware MFA, and Risk Scores to quantify trust and set the foundation of a Zero Trust Security (ZTS) enterprise-wide strategies. The goal is to keep growth going strong, uninterrupted by any security event or breach. Next-Gen Access (NGA) provides behavioral, contextual intelligence indexed as a risk score for each user, enabling more secure and efficient user experiences. NGA is built on a platform that includes Identity-as-a-Service (IDaaS), Enterprise Mobility Management (EMM) and Privileged Access Management (PAM). They are also the essential components for creating and fine-tuning Zero Trust Security (ZTS) across fast-growing businesses. Taken together in a concerted strategy, ZTS delivers greater control and visibility over every resource in a company.
  3. Identify potential security risks on a per-user basis to the device level and limiting access while asking for identity verification without impacting user experiences. NGA takes contextual and user intelligence into account when deciding which resources will be available to a given user based on their previous login and system use actions and behaviors quantified in their risk score. Machine learning algorithms are used to find patterns in user behavior that could signal a potential security risk. Based on the risk score, conditional access is provided or not. All of this is done in seconds and doesn’t impact the user experience.
  4. Rely on more NGA that learns user’s behavioral patterns over time and improves the user experience, scaling Zero Trust Security enterprise-wide. Solving the paradox of scaling security in fast-growing companies needs to start with a machine learning-based approach to finding and acting on user’s behavioral and contextual activity. As NGA “learns” how valid users interact with security, updating risk scores and performing identity verification, the quality of a user’s experience improves. In fast-growing companies adding new employees, partners, and suppliers, this is invaluable as every new user will generate a risk score. Quantifying trust using NGA, the foundation of any ZTS strategy makes fast, secure profitable growth possible.
  5. The era of ZTS has arrived, and it is accentuating the importance of partnering with security providers who excel at offering Next-Gen Access solutions. ZTS will continue to revolutionize every aspect of an organization’s security strategy, enabling digital businesses to grow faster and more securely over time. Next-Gen Access solutions are the foundations enabling enterprises to scale ZTS strategies across their businesses. Key Next-Gen access providers enabling the era of ZTS include Palo Alto Networks for firewalls and Centrify for Access. Over the next 18 months, ZTS will redefine the cybersecurity landscape as digital businesses look to Next-Gen Access solutions to securely scale their companies and grow.
%d bloggers like this: